httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Security tips and dictionary attacks with UserDir
Date Thu, 29 Jan 2004 00:07:20 GMT
On Wed, 28 Jan 2004, Paul D. Robertson wrote:

> >> UserDir disabled
> >> UserDir enabled probertson test foo
> >> UserDir public_html
> >> 
> >> This will stop Apache from disclosing which user-ids exist on a system,
> >> which attackers may use to figure out hidden, administrative or temporary
> >> ids which might be exploited by other non-Apache attack vectors, such as FTP
> >> or SSH.
> >> 
> >> =========end==========
> > 
> > Thanks. This is a good additional remark. Linking to this from the
> > security doc (or the other way around) might be good. I think the
> > security doc may already mention this.
> >
> 
> I didn't see a mention (unless there's a different document than
> security_tips that I missed?) so I'd be happy if it got added to the
> security doc.  I wrote it up internally due to the release of a tool which
> takes advantage of this being in the wild, but the less compromised machines
> there are out there, the better.

Oops. No. It's the public_html document that has this mentioned.

> Should diffs come to this list, or elsewhere?

Diffs to the list is fine.

> > On a related note, I'd like to discuss whether we want to have UserDir
> > disabled by default.
> > Pros) Improved default security
> > Cons) Increased tech support questions about enabling this feature
> 
> Given Apache's penetration into the corporate server space, I'd bet that
> less than 5% of servers rely on userdir (ISPs and geek colo boxes mostly)-
> so I'd bet that the fall-out wouldn't be huge (mostly folks who know how to
> turn it back on.)  But 5% of the Apache install base is a big number- if the
> original statements were commented out in the default config, the hurdle
> wouldn't be that high for the semi-clued.

I expect that the statistics are rather less skewed than this, but I
have no actual statistical support for this belief.

-- 
When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
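The snippet quoted at the top of the thread turns ~user translation off for every account and then turns it back on only for the named users, so a request for /~name behaves the same whether or not an unlisted account exists. The script below is an added example, not code from the thread or from the httpd project: it reads the UserDir directives out of configuration text, computes which accounts would get a home-directory translation, and flags the everyone-enabled setting. It assumes the documented keyword meanings of mod_userdir with two simplifications stated in the docstring (no VirtualHost scoping, and an explicit per-user "disabled" winning over a per-user "enabled"); both sample configurations are constructed for the example.

```python
"""Audit the effective UserDir policy of an Apache httpd configuration.

Added example (not from the mailing-list thread or the httpd project).
It folds every UserDir directive in a config text into one policy,
answers "does /~user get translated for this account?", and reports the
setting that lets a remote client tell real accounts from non-existent
ones (a 403 for a real user with no public_html versus a 404 otherwise).

Assumed semantics (a simplification of mod_userdir): directives are read
top to bottom, 'disabled' with no names turns the global default off,
'enabled' with no names turns it on, named lists accumulate, an explicit
'disabled <user>' beats 'enabled <user>', and any other argument is a
directory name. <VirtualHost> scoping is ignored: the whole text is
treated as a single server scope.
"""
from dataclasses import dataclass, field
import re

# Constructed sample: the common setting that serves ~user for every account.
WEAK_CONF = """\
LoadModule userdir_module modules/mod_userdir.so
UserDir public_html
"""

# Constructed sample mirroring the snippet quoted in the thread.
HARDENED_CONF = """\
LoadModule userdir_module modules/mod_userdir.so
UserDir disabled
UserDir enabled probertson test foo
UserDir public_html
"""


@dataclass
class UserDirPolicy:
    default_enabled: bool = True            # translations on unless 'disabled' appears
    enabled_users: set = field(default_factory=set)
    disabled_users: set = field(default_factory=set)
    directories: list = field(default_factory=list)


_DIRECTIVE = re.compile(r"^\s*UserDir\s+(.+?)\s*$", re.IGNORECASE)


def parse_userdir_policy(conf_text: str) -> UserDirPolicy:
    """Walk the configuration text and merge every UserDir line into one policy."""
    policy = UserDirPolicy()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):   # httpd only allows whole-line comments
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        args = m.group(1).split()
        keyword, names = args[0].lower(), args[1:]
        if keyword == "disabled":
            if names:
                policy.disabled_users.update(names)
            else:
                policy.default_enabled = False
        elif keyword == "enabled":
            if names:
                policy.enabled_users.update(names)
            else:
                policy.default_enabled = True
        else:
            # Not a keyword: one or more directory names to try under the home dir.
            policy.directories.extend(args)
    return policy


def user_has_userdir(policy: UserDirPolicy, user: str) -> bool:
    """Would a request for /~user be handled by mod_userdir for this account?"""
    if user in policy.disabled_users:       # explicit per-user disable wins
        return False
    if user in policy.enabled_users:
        return True
    return policy.default_enabled


def audit(conf_text: str) -> list:
    """Return findings as strings; an empty list means unlisted accounts get nothing."""
    policy = parse_userdir_policy(conf_text)
    findings = []
    if policy.default_enabled:
        findings.append(
            "UserDir is on for every account: /~name answers differently for real "
            "and non-existent users, so account names can be enumerated. Add "
            "'UserDir disabled' and list the accounts that need it with "
            "'UserDir enabled <user> ...'."
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or ["no findings"])
```

Running the file prints one finding for the weak sample and none for the hardened one; `user_has_userdir` can then be queried for individual accounts to confirm that only probertson, test and foo are served from the hardened configuration.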

